9483642

Runtime Detection of Self-Replicating Malware

Published: November 1, 2016
Assignee: not available in USPTO data
Technical Abstract

Patent Claims
18 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method for detecting malicious active processes and self-replicating executable binary files on a computing device in runtime, the method comprising: monitoring in runtime and in user mode at least one of a file creation event and a file modification event on a computing device; monitoring in runtime and in user mode a plurality of active processes running on said computing device to detect a new process creation event; extracting at least one unique identifier of each active process of said plurality of active processes which maps said active process to at least one executable binary file containing executable code of said active process; monitoring in runtime and in user mode at least one of creation and modification event of a plurality of files hosted by said computing device having an indication of a link to said detected new process creation event; identifying at runtime and in user mode a plurality of executable binary files among said plurality of files; monitoring at runtime and in user mode concurrent operation of a plurality of logical sensors which detect malicious behavioral patterns of said plurality of active processes and maintain at least one list of malicious behavioral pattern findings; identifying at runtime and in user mode at least one match between said at least one unique identifier of each active process and at least one of said plurality of executable binary files; and detecting at runtime and in user mode at least one suspected malicious active process of a suspected malware from said plurality of active processes and a corresponding at least one self-replicating executable binary file of said plurality of executable binary files according to said at least one match and said malicious behavioral pattern findings, wherein maintaining a binary files list of said plurality of executable binary files and an active processes list of records each of at least one unique identifier of each active process, and wherein said detecting at least one malicious active process comprises comparing records in said binary files list and said active processes list, wherein identifying a plurality of cloned files among said plurality of executable binary files; monitoring in runtime creation of at least one new process running on a computing device; extracting at least one unique identifier of said at least one new active process which maps said new active process to at least one executable binary file containing executable code of said new active process; and identifying said new active process as a cloned process according to a match between respective said at least one unique identifier of each active process and at least one of said plurality of cloned files.

2. The method of claim 1, wherein said at least one unique identifier consists of a file path of at least one of said plurality of executable binary files according to an executable code of one of said active processes it contains, and at least one memory address value of an entry point of a respective said executable binary file and a pre-defined sequence of machine-code indicating self-replication.

3. The method of claim 1, further comprising receiving and executing a defense policy of performing at least one response action upon detection of said at least one malicious active process and said at least one self-replicating executable binary file.

4. The method of claim 3, wherein said at least one response action is a file response action selected from a group consisting of deleting, overwriting, marking, and monitoring said at least one self-replicating executable binary file.

5. The method of claim 3, wherein said at least one response action is a process response action selected from a group consisting of monitoring, suspending, and terminating said malicious active processes suspected as malware.

6. The method of claim 3, wherein said defense policy further comprises issuing at least one alert regarding execution of said at least one response action.

7. The method of claim 3, further comprising searching for at least one heuristic self-replication indication prior to said performing at least one response action.

8. The method of claim 1, further comprising employing analysis heuristics to perform calculations required for identification of malicious behavioral patterns of processes at runtime.

9. The method of claim 1, further comprising receiving access to storage media and process management modules of said computing device.

10. The method of claim 1, wherein said at least one list of malicious behavioral pattern findings is maintained by one of said plurality of logical sensors and is accessible to other of said plurality of logical sensors.

11. The method of claim 1, further comprising comparing said malicious behavioral pattern findings with records of a database to determine said defense policy.

12. The method of claim 11, wherein records of said database contain information selected from known suspicious patterns, legitimate and illegitimate applications, and publishers' credibility ratings.

13. The method of claim 11, wherein said malicious behavioral pattern findings are used to assess severity and fidelity of said self-replicating executable binary file and wherein said severity and fidelity serve as criteria in determining a response action to be taken by said defense policy.

14. The method of claim 1, wherein said indication of said link comprises temporal proximity.

15. A computer program product for detecting in runtime malicious active processes and self-replicating executable binary files suspected as malware on a computing device, said computer program product comprising a non-transitory computer readable non-transitory storage medium storing program code thereon for use by a processor, the program code comprising: first program instructions to monitor in runtime and in user mode at least one of a file creation event and a file modification event on a computing device; second program instructions to monitor in runtime and in user mode a plurality of active processes running on said computing device to detect a new process creation event; third program instructions to extract at least one unique identifier of each active process of said plurality of active processes which maps said active process to at least one executable binary file containing executable code of said active process; fourth program instructions to monitor in runtime and in user mode at least one of creation and modification event of a plurality of data files hosted by said computing device having an indication of a link to said detected new process creation event; fifth program instructions to identify in runtime and in user mode a plurality of executable binary files among said plurality of data files; sixth program instructions to monitor in runtime and in user mode concurrent operation of a plurality of logical sensors which detect malicious behavioral patterns of said plurality of active processes and maintain at least one list of malicious behavioral pattern findings; seventh program instructions to identify in runtime and in user mode at least one match between said at least one unique identifier of each active process and at least one of said plurality of executable binary files; and eighth program instructions to detect in runtime and in user mode at least one malicious active process of a suspected malware from said plurality of active processes and at least one self-replicating executable binary file of said at least one malicious active process according to said at least one match and said malicious behavioral pattern findings, wherein maintaining a binary files list of said plurality of executable binary files and an active processes list of records each of at least one unique identifier of each active process, and wherein said detecting at least one malicious active process comprises comparing records in said binary files list and said active processes list, wherein identifying a plurality of cloned files among said plurality of executable binary files; monitoring in runtime creation of at least one new process running on a computing device; extracting at least one unique identifier of said at least one new active process which maps said new active process to at least one executable binary file containing executable code of said new active process; and identifying said new active process as a cloned process according to a match between respective said at least one unique identifier of each active process and at least one of said plurality of cloned files.

16. A system for detecting in runtime malicious active processes and self-replicating executable binary files suspected as malware on a computing device, the system comprising: a processor; an interface module which acquires access to storage media and process management modules of a computing device; a process monitoring module which monitors in runtime and in user mode at least one of a file creation event and a file modification event of a plurality of active processes running on said computing device, and extracts at least one unique identifier of each active process of said plurality of active processes which maps said active process to at least one executable binary file containing executable code of said active process; a file monitoring module which monitors in runtime and in user mode creation and modification of a plurality of files hosted by said storage media and identifies a plurality of executable binary files among said plurality of files occurring in proximity to said at least one of said file creation event and said file modification event; and a self-replication detection module which identifies in runtime and in user mode at least one match between said at least one unique identifier of each active process and at least one of said plurality of executable binary files and detects in runtime and in user mode at least one malicious active process of a malware from said plurality of active processes and at least one self-replicating executable binary file of said at least one malicious active process according to said at least one match, wherein maintaining a binary files list of said plurality of executable binary files and an active processes list of records each of at least one unique identifier of each active process, and wherein said detecting at least one malicious active process comprises comparing records in said binary files list and said active processes list, wherein identifying a plurality of cloned files among said plurality of executable binary files; monitoring in runtime creation of at least one new process running on a computing device; extracting at least one unique identifier of said at least one new active process which maps said new active process to at least one executable binary file containing executable code of said new active process; and identifying said new active process as a cloned process according to a match between respective said at least one unique identifier of each active process and at least one of said plurality of cloned files.

17. The system of claim 16, wherein said interface module further acquires at least one defense policy of a plurality of response actions to be performed on said at least one malicious active process and said at least one self-replicating executable binary file, and further comprising a defense policy execution module which executes said defense policy on each said at least one malicious active process and each said at least one self-replicating executable binary file.

18. The system of claim 16, wherein said plurality of response actions comprise at least one of: file operations selected from a group consisting of deleting, overwriting, marking and monitoring said at least one self-replicating executable binary file; and process operations selected from a group consisting of monitoring, suspending and terminating said at least one malicious active process suspected as malware.
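The detection flow that independent claims 1, 15 and 16 describe (a user-mode process-creation monitor, a file-creation/modification monitor, a binary files list, an active processes list, a comparison of the two, and identification of cloned files and cloned processes) is easier to follow as a small event-driven simulation. The block below is an added, constructed example written for this page; it is not the patent's implementation or any vendor's code. The event format, the content hash used as the "unique identifier", the header check used to recognise executable binaries, the five-second temporal-proximity window (claim 14) and the sample timeline are all assumptions chosen for the demo.

```python
"""Constructed simulation of the claims' self-replication detection flow.
Events are fed in time order; the detector keeps an active processes list and
a binary files list and compares them to find self-replicating and cloned
processes.  All paths, hashes and the window size are assumptions."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 5.0               # assumed temporal-proximity window (claim 14)
EXEC_MAGICS = (b"MZ", b"\x7fELF")  # PE / ELF headers mark executable binaries


@dataclass
class ProcEvent:
    t: float
    pid: int
    image_path: str   # executable file backing the new process
    image: bytes      # its contents; hashed to form the unique identifier


@dataclass
class FileEvent:
    t: float
    pid: int          # process that created or modified the file
    path: str
    data: bytes
    kind: str         # "create" or "modify"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_executable(data: bytes) -> bool:
    """'Identifying executable binary files among the files' via a header check."""
    return data.startswith(EXEC_MAGICS)


class SelfReplicationDetector:
    def __init__(self, window: float = WINDOW_SECONDS):
        self.window = window
        self.processes = {}                    # active processes list: pid -> (t, path, hash)
        self.binaries = {}                     # binary files list: path -> hash
        self.paths_by_hash = defaultdict(set)  # hash -> paths; >1 path means cloned files
        self.findings = []                     # behavioral pattern findings: (pattern, pid, path)

    def on_process(self, ev: ProcEvent) -> None:
        h = sha256(ev.image)
        self.processes[ev.pid] = (ev.t, ev.image_path, h)
        self.binaries[ev.image_path] = h       # the identifier maps the process to its file
        self.paths_by_hash[h].add(ev.image_path)
        if len(self.paths_by_hash[h]) > 1:     # started from a file that already has clones
            self.findings.append(("cloned_process", ev.pid, ev.image_path))

    def on_file(self, ev: FileEvent) -> None:
        if not is_executable(ev.data):
            return                             # only executable binaries are tracked
        h = sha256(ev.data)
        old = self.binaries.get(ev.path)
        if old is not None:                    # a modify event replaces the old record
            self.paths_by_hash[old].discard(ev.path)
        self.binaries[ev.path] = h
        self.paths_by_hash[h].add(ev.path)
        proc = self.processes.get(ev.pid)
        if proc is None:
            return
        t0, proc_path, proc_hash = proc
        linked = 0 <= ev.t - t0 <= self.window  # link to the process creation event
        if h == proc_hash and ev.path != proc_path:
            pattern = "self_replication" if linked else "image_copy_late"
            self.findings.append((pattern, ev.pid, ev.path))

    def suspects(self) -> set:
        """Compare records of the active processes list with the binary files list."""
        out = {pid for pid, (_, _, h) in self.processes.items()
               if len(self.paths_by_hash.get(h, ())) > 1}
        out |= {pid for pattern, pid, _ in self.findings
                if pattern in ("self_replication", "cloned_process")}
        return out


def run(events):
    """Replay a mixed list of events in time order; return (findings, suspect pids)."""
    det = SelfReplicationDetector()
    for ev in sorted(events, key=lambda e: e.t):
        det.on_process(ev) if isinstance(ev, ProcEvent) else det.on_file(ev)
    return det.findings, det.suspects()


WORM = b"MZ" + b"constructed-worm-body"          # constructed, not a real sample
EDITOR = b"MZ" + b"constructed-benign-editor"

SAMPLE_EVENTS = [                                 # constructed timeline, not real telemetry
    ProcEvent(0.0, 100, r"C:\Users\a\Downloads\invoice.exe", WORM),
    FileEvent(1.0, 100, r"C:\Users\a\AppData\Roaming\svc.exe", WORM, "create"),
    FileEvent(2.0, 100, r"C:\Users\a\notes.txt", b"plain text", "create"),
    ProcEvent(3.0, 200, r"C:\Users\a\AppData\Roaming\svc.exe", WORM),
    ProcEvent(4.0, 300, r"C:\Windows\notepad.exe", EDITOR),
    FileEvent(4.5, 300, r"C:\Users\a\report.docx", b"PK\x03\x04doc", "create"),
]

if __name__ == "__main__":
    findings, suspects = run(SAMPLE_EVENTS)
    for f in findings:
        print(f)
    print("suspected pids:", sorted(suspects))
```

On the sample timeline pid 100 is flagged for writing a copy of its own image to a second path within the window (self-replication), pid 200 is flagged because it starts from that copy (a cloned process), and pid 300 is untouched because its image has a single path and its only write is a non-executable document. A copy written outside the window is recorded with lower fidelity as `image_copy_late` rather than `self_replication`, which is where claim 13's severity and fidelity criteria would feed a defense policy.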

Patent Metadata

Filing Date

Unknown

Publication Date

November 1, 2016

Inventors

Gabriel KEDMA
Doron Havazelet


Citation & reuse


Cite as: Patentable. “RUNTIME DETECTION OF SELF-REPLICATING MALWARE” (9483642). https://patentable.app/patents/9483642
